OData v4: ODataModel.changeHttpHeaders allows adding illegal headers

Open vxmn opened this issue 6 years ago • 2 comments

OpenUI5 version: 1.72

I was trying to add an Authorization header to all requests to a specific OData model. Headers added using changeHttpHeaders() are added not only to the main HTTP request but also to every body part. There does not seem to be an option to add headers only to the main HTTP request. changeHttpHeaders() also includes headers which, per specification, must not be included in the body parts.

See: https://docs.oasis-open.org/odata/odata/v4.01/csprd06/part1-protocol/odata-v4.01-csprd06-part1-protocol.html#sec_MultipartBatchRequestBody

Each body part that represents a single request MUST NOT include:

- authentication or authorization related HTTP headers
- Expect, From, Max-Forwards, Range, or TE headers

ODataModel should provide a method to set HTTP headers for the main request and should also deal with illegal body part headers.

vxmn, Nov 26 '19 12:11
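A defensive check for the condition reported above, as an added example that is not part of the original post or of OpenUI5: it parses a multipart `$batch` body and lists every body part that carries a header the quoted spec passage forbids. The function names, the constructed sample batch, and the reading of "authentication or authorization related" as `Authorization` and `Proxy-Authorization` are assumptions of this example.

```javascript
// Added example; function and variable names are hypothetical.
// Expect, From, Max-Forwards, Range and TE come from the spec text quoted in the issue;
// Authorization and Proxy-Authorization are this example's assumed reading of the first bullet.
const FORBIDDEN = new Set(["authorization", "proxy-authorization",
  "expect", "from", "max-forwards", "range", "te"]);
// Turn header lines into [lower-cased name, value] pairs.
function parseHeaders(lines) {
  return lines.filter((l) => l.includes(":")).map((l) => {
    const i = l.indexOf(":");
    return [l.slice(0, i).trim().toLowerCase(), l.slice(i + 1).trim()];
  });
}
// Report each forbidden header found in a request body part of a multipart
// $batch body, descending into change sets (nested multipart/mixed parts).
function findIllegalPartHeaders(body, boundary, path = "") {
  const findings = [];
  const text = "\n" + body.replace(/\r\n/g, "\n");
  const segments = text.split("\n--" + boundary).slice(1); // drop preamble
  let n = 0;
  for (const seg of segments) {
    if (seg.startsWith("--")) break; // closing delimiter
    const split = seg.indexOf("\n\n");
    if (split < 0) continue; // no header/body separator, nothing to inspect
    n += 1;
    const mime = new Map(parseHeaders(seg.slice(0, split).split("\n")));
    const payload = seg.slice(split + 2);
    const nested = /^multipart\/mixed\s*;\s*boundary=("?)([^";]+)\1/i
      .exec(mime.get("content-type") || "");
    if (nested) { // change set: recurse with its own boundary
      findings.push(...findIllegalPartHeaders(payload, nested[2], `${path}${n}.`));
      continue;
    }
    const [requestLine, ...headerLines] = payload.split("\n\n")[0].split("\n");
    for (const [name] of parseHeaders(headerLines)) {
      if (FORBIDDEN.has(name)) findings.push({ part: `${path}${n}`, request: requestLine, header: name });
    }
  }
  return findings;
}
// Constructed sample: a batch in which a model-wide Authorization header was copied into each part.
const sampleBatch = [
  "--batch_1", "Content-Type: application/http", "Content-Transfer-Encoding: binary", "",
  "GET Customers HTTP/1.1", "Accept: application/json", "Authorization: Bearer <token>", "", "",
  "--batch_1", "Content-Type: multipart/mixed;boundary=changeset_1", "",
  "--changeset_1", "Content-Type: application/http", "Content-Transfer-Encoding: binary", "",
  "PATCH Customers('1') HTTP/1.1", "Content-Type: application/json", "Authorization: Bearer <token>", "",
  '{"Name":"A"}', "--changeset_1--", "--batch_1--", "",
].join("\r\n");
console.log(findIllegalPartHeaders(sampleBatch, "batch_1"));
```

Run against `$batch` bodies captured in a test to confirm that credentials appear only on the outer HTTP request.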

Hello @vxmn, thank you for sharing this finding. I've created an internal incident 1980462315. The status of the issue will be updated here in GitHub.

Regards, Tsanislav

tsanislavgatev, Nov 26 '19 14:11

Hi @vxmn,

thank you for reporting this. We have discussed this internally and cannot provide the improvement quickly. We will follow up with Jira item CPOUI5ODATAV4-59.

Best regards, Mathias.

uhlmannm, Nov 29 '19 15:11